1. Small organizations spend more per user on security than medium- and large-sized organizations. Answer: True
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. Answer: False
3. Threats from insiders are more likely in a small organization than in a large one. Answer: False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. Answer: False
5. On-the-job training can result in substandard work performance while the trainee gets up to speed. Answer: True
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. Answer: False
7. Planners need to estimate the effort required to complete each task, subtask, or action step. Answer: True
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application. Answer: False
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. Answer: True
10. Each organization has to determine its own project management methodology for IT and information security projects. Answer: True
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. Answer: False - milestones
12. Most information security projects require a trained project developer. Answer: False - manager
13. Which of the following variables is the most influential in determining how to structure an information security program? Answer: d
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization? Answer: d
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk? Answer: b
16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? Answer: a
17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? Answer: c
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? Answer: b
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? Answer: a
20. GGG security is commonly used to describe which aspect of security? Answer: c
21. What is the SETA program designed to do? Answer: c
22. A SETA program consists of three elements: security education, security training, and which of the following? Answer: c
23. The purpose of SETA is to enhance security in all but which of the following ways? Answer: b
24. Advanced technical training can be selected or developed based on which of the following? Answer: c
25. Which of the following is the first step in the process of implementing training? Answer: c
26. Which of the following is an advantage of the one-on-one method of training? Answer: c
27. Which of the following is a disadvantage of the one-on-one training method? Answer: d
28. Which of the following is an advantage of the formal class method of training? Answer: d
29. Which of the following is an advantage of the user support group form of training? Answer: a
31. __________ is a simple project management planning tool. Answer: b
32. Which of the following is the most cost-effective method for disseminating security information and news to employees? Answer: d
34. An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization. Answer: assets
35. An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems. Answer: assessment
36. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions. Answer: builders
37. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program. Answer: consultant
38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization. Answer: security education, training, and awareness
39. Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan. Answer: scope
40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete. Answer: Milestone
41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________, needed to accomplish a task. Answer: resource
42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________. Answer: technology product
43. The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis. Answer: awareness
44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work. Answer: Projectitis
45. Explain the conflict between the goals and objectives of the CIO and the CISO.
Answer: The CIO, as the executive in charge of the organization's technology, manages the efficiency in the processing and accessing of the organization's information. Anything that limits access or slows information processing directly contradicts the CIO's mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees' activities and processes. At times, these activities may disrupt the processing and accessing of the organization's information.
46. What is the security education, training, and awareness program? Describe how the program aims to enhance security.
Answer: The security education, training, and awareness (SETA) program is designed to reduce the occurrence of accidental security breaches by members of the organization. The program aims to enhance security in three ways:
47. List the steps of the seven-step methodology for implementing training.
Answer: The seven-step methodology for implementing training is as follows:
48. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?
Answer: Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.
49. What are the four areas into which it is recommended to separate the functions of security?
Answer: Functions performed by nontechnology business units outside the IT area of management
50. Which security functions are normally performed by IT groups outside the InfoSec area of management control?
Answer: Systems security administration
51. What are the components of the security program element described as preparing for contingencies and disasters?
Answer: Business plan, identify resources, develop scenarios, develop strategies, test and revise plan.
52. What is the Chief Information Security Officer primarily responsible for?
Answer: The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.
53. What is the role of help desk personnel in the InfoSec team?
Answer: An important part of the InfoSec team is the help desk, which enhances the security team's ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus.
54. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program?
Answer: A security awareness program keeps InfoSec at the forefront of users' minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment.
30. Which of the following is NOT a step in the process of implementing training? Answer: #
33. Which of the following is true about a company's InfoSec awareness Web site? Answer: #

What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program?
Security awareness training is a strategy used by IT and security professionals to prevent and mitigate user risk. These programs are designed to help users and employees understand the role they play in helping to combat information security breaches.

Which of the following is considered one of the least frequently implemented but most effective security methods?
One of the least frequently implemented, but most effective security methods is the security awareness program.

What is the most influential variable affecting the structure of an information security program?
An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.

What is the security education, training, and awareness program? Describe how the program aims to enhance security.
A Security Education, Training and Awareness (SETA) program can be defined as an educational program that is designed to reduce the number of security breaches that occur through a lack of employee security awareness.